US law permits pre-emptive cyber strikes

Washington

A secret legal review has concluded the US president has the power to order pre-emptive cyber strikes if the US discovers credible evidence of a major digital attack against it is in the offing.

The New York Times reported on Monday that the policy will govern how the intelligence agencies can carry out searches of overseas computer networks for signs of potential attacks. If the president approves, it can attack adversaries with a destructive code - even if there is no declared war.

The review came as the US approved a five-fold expansion of its cyber-security force over the coming years in a bid to increase its ability to defend critical computer networks.

The Washington Post reported that the department's Cyber Command, which currently has a staff of about 900, will expand to about 4,900 troops and civilians.

Last November, Defense Secretary Leon Panetta conceded that US cyber-security needed more financial support and human capital.

The seriousness of the threat has been underscored by a string of sabotage attacks, including one in which a virus was used to wipe data from more than 30,000 computers at a Saudi Arabian state oil company.

Advertisement

According to The Times, John Brennan, who has been nominated to run the Central Intelligence Agency, played a central role in developing the administration's policies regarding cyber-warfare.

President Barack Obama is known to have approved the use of cyber-weapons only once, when he ordered an escalating series of cyber-attacks against Iran's nuclear enrichment facilities, The Times said.

One senior American official said that the reviewers had quickly determined that the cyber-weapons were so powerful that - like nuclear weapons - they should be unleashed only on the direct orders of the commander in chief, The Times noted.

International law allows any nation to defend itself from threats, and the United States has applied that concept to conduct pre-emptive attacks, the paper noted.

Under the new guidelines, the Pentagon would not be involved in defending against ordinary cyber-attacks on American companies or individuals, The Times said. That responsibility falls to the Department of Homeland Security.

But the military would become involved in cases of a major cyber-attack within the United States, the paper noted.